APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms.  Some analysts track APT19 and Deep Panda as the same group, but it is unclear from open source information if the groups are the same.   
Associated Group Descriptions
|Enterprise||T1043||Commonly Used Port||APT19 used TCP port 80 for C2.|
|Enterprise||T1132||Data Encoding||An APT19 HTTP malware variant used Base64 to encode communications to the C2 server.|
|Enterprise||T1140||Deobfuscate/Decode Files or Information||An APT19 HTTP malware variant decrypts strings using single-byte XOR keys.|
|Enterprise||T1073||DLL Side-Loading||APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.|
|Enterprise||T1189||Drive-by Compromise||APT19 performed a watering hole attack on forbes.com in 2014 to compromise targets.|
|Enterprise||T1031||Modify Existing Service||An APT19 Port 22 malware variant registers itself as a service.|
|Enterprise||T1112||Modify Registry||APT19 uses a Port 22 malware variant to modify several Registry keys.|
|Enterprise||T1027||Obfuscated Files or Information||APT19 used Base64 to obfuscate commands and the payload.|
|Enterprise||T1086||PowerShell||APT19 used PowerShell commands to execute payloads.|
|Enterprise||T1060||Registry Run Keys / Startup Folder||
An APT19 HTTP malware variant establishes persistence by setting the Registry key
|Enterprise||T1117||Regsvr32||APT19 used Regsvr32 to bypass application whitelisting techniques.|
|Enterprise||T1085||Rundll32||APT19 configured its payload to inject into the rundll32.exe.|
|Enterprise||T1064||Scripting||APT19 downloaded and launched code within a SCT file.|
|Enterprise||T1193||Spearphishing Attachment||APT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits.|
|Enterprise||T1071||Standard Application Layer Protocol||APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2.|
|Enterprise||T1082||System Information Discovery||APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.|
|Enterprise||T1016||System Network Configuration Discovery||APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine.|
|Enterprise||T1033||System Owner/User Discovery||APT19 used an HTTP malware variant and a Port 22 malware variant to collect the victim’s username.|
|Enterprise||T1204||User Execution||APT19 attempted to get users to launch malicious attachments delivered via spearphishing emails.|
- Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
- Scott, J. and Spaniel, D. (2016, July 28). ICIT Brief - China’s Espionage Dynasty: Economic Death by a Thousand Cuts. Retrieved June 7, 2018.
- FireEye. (n.d.). Advanced Persistent Threat Groups. Retrieved August 3, 2018.
- Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
- The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- Chickowski, E. (2015, February 10). Chinese Hacking Group Codoso Team Uses Forbes.com As Watering Hole. Retrieved September 13, 2018.